[AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId (#3575)

* Fixed auth check by just checking collections for the requested orgId * [AC-1139] Refactor collection authorization logic to check for manage permission * [AC-1139] Remove unnecessary authorization check in CollectionsController * [AC-1139] Remove unused test method * [AC-1139] Remove unnecessary code for checking read permissions
2025-06-30 15:42:48 -05:00 · 2023-12-20 16:34:09 +00:00
parent ca750e226f
commit 72ebb5e66f
4 changed files with 62 additions and 31 deletions
--- a/test/Api.Test/Controllers/CollectionsControllerTests.cs
+++ b/test/Api.Test/Controllers/CollectionsControllerTests.cs
@ -142,7 +142,7 @@ public class CollectionsControllerTests
    }

    [Theory, BitAutoData]
-    public async Task GetOrganizationCollectionsWithGroups_MissingReadPermissions_ThrowsNotFound(Organization organization, Guid userId, SutProvider<CollectionsController> sutProvider)
+    public async Task GetOrganizationCollections_WithReadAllPermissions_GetsAllCollections(Organization organization, ICollection<Collection> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
    {
        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);

@ -152,7 +152,37 @@ public class CollectionsControllerTests
                Arg.Any<object>(),
                Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
                    requirements.Cast<CollectionOperationRequirement>().All(operation =>
-                        operation.Name == nameof(CollectionOperations.ReadAllWithAccess)
+                        operation.Name == nameof(CollectionOperations.ReadAll)
+                        && operation.OrganizationId == organization.Id)))
+            .Returns(AuthorizationResult.Success());
+
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByOrganizationIdAsync(organization.Id)
+            .Returns(collections);
+
+        var response = await sutProvider.Sut.Get(organization.Id);
+
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdAsync(organization.Id);
+
+        Assert.Equal(collections.Count, response.Data.Count());
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetOrganizationCollections_MissingReadAllPermissions_GetsManageableCollections(Organization organization, ICollection<CollectionDetails> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
+    {
+        collections.First().OrganizationId = organization.Id;
+        collections.First().Manage = true;
+        collections.Skip(1).First().OrganizationId = organization.Id;
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(
+                Arg.Any<ClaimsPrincipal>(),
+                Arg.Any<object>(),
+                Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
+                    requirements.Cast<CollectionOperationRequirement>().All(operation =>
+                        operation.Name == nameof(CollectionOperations.ReadAll)
                        && operation.OrganizationId == organization.Id)))
            .Returns(AuthorizationResult.Failed());

@ -162,10 +192,20 @@ public class CollectionsControllerTests
                Arg.Any<object>(),
                Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
                    requirements.Cast<BulkCollectionOperationRequirement>().All(operation =>
-                        operation.Name == nameof(BulkCollectionOperations.ReadWithAccess))))
-            .Returns(AuthorizationResult.Failed());
+                        operation.Name == nameof(BulkCollectionOperations.Read))))
+            .Returns(AuthorizationResult.Success());

-        _ = await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetManyWithDetails(organization.Id));
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByUserIdAsync(userId, true)
+            .Returns(collections);
+
+        var result = await sutProvider.Sut.Get(organization.Id);
+
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdAsync(organization.Id);
+        await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdAsync(userId, true);
+
+        Assert.Single(result.Data);
+        Assert.All(result.Data, c => Assert.Equal(organization.Id, c.OrganizationId));
    }

    [Theory, BitAutoData]
--- a/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/BulkCollectionAuthorizationHandlerTests.cs
@ -204,13 +204,18 @@ public class BulkCollectionAuthorizationHandlerTests
    }

    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanReadAsync_WhenUserIsAssignedToCollections_Success(
+    public async Task CanReadAsync_WhenUserCanManageCollections_Success(
        SutProvider<BulkCollectionAuthorizationHandler> sutProvider,
        ICollection<CollectionDetails> collections,
        CurrentContextOrganization organization)
    {
        var actingUserId = Guid.NewGuid();

+        foreach (var c in collections)
+        {
+            c.Manage = true;
+        }
+
        organization.Type = OrganizationUserType.User;
        organization.LimitCollectionCreationDeletion = false;
        organization.Permissions = new Permissions();